Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Microsoft Security Advisory CVE-2018-0764: Denial of Service when parsing XML documents #52
Microsoft Security Advisory CVE-2018-0764
Denial of Service when parsing XML documents
Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of .NET Core 1.0 and 1.1, and 2.0. This advisory also provides guidance on what developers can do to update their applications correctly.
Microsoft is aware of a Denial of Service vulnerability in all public versions of .NET core due to improper processing of XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.
The update addresses the vulnerability by correcting how .NET core handles XML document processing.
System administrators are advised to update their .NET Core runtimes to versions 1.0.9, 1.1.6 and 2.0.5. Developers are advised to update their .NET Core SDK to version 2.1.4 or 1.1.7. These runtime and SDK versions will also address CVE-2018-0786.
Please use dotnet/corefx#26237 for discussion of this advisory.
The vulnerability affects any Microsoft .NET Core project if it uses any of affected runtime versions listed below
How do I know if I am affected?
To check the runtimes installed on a computer you must view the contents of the runtime folder. By default these are
Each runtime version is installed in its own directory, where the directory name is the version number. If you do not have a directory for 1.0.9, 1.1.6 or 2.0.2 then any applications targeting .NET Core will be vulnerable. Downloads for all supported platforms can be acquired from https://www.microsoft.com/net/download/
How do I fix my affected application?
Applications can be fixed by installing the latest runtimes or SDKs. Typically application servers only install a runtime package, developer machines install SDKs. Installers can be downloaded from the Runtime and SDK download archive. Runtime version 1.1.6 will also install runtime version 1.0.9.
If you have built a self-contained application you must install the new runtime and SDK, recompile your application and redeploy.
Reporting Security Issues
If you have found a potential security issue in .NET Core, please email details to email@example.com. Reports may qualify for the .NET Core Bug Bounty. Details of the .NET Core Bug Bounty including Terms and Conditions are at https://aka.ms/corebounty.
You can ask questions about this issue on GitHub in the .NET Core or ASP.NET Core organizations. These are located at https://github.com/dotnet/ and https://github.com/aspnet/. The Announcements repo for each product (https://github.com/dotnet/Announcements and https://github.com/aspnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.
What if the update breaks my application?
An application can be pinned to a previous version of the runtime by editing the application.runtime.config file for that application and editing the framework version and setting
Note that this file is optional, you may need to create it for each application alongside the executable.
V1.0 (Jan 9, 2018): Advisory published.